lightning-dev
Full Disclosure: CVE-2023-40231 / CVE-2023-40232 / CVE-2023-40233 / CVE-2023-40234 "All your mempool are belong to us"
Original Postby Matt Morehouse
Posted on: October 16, 2023 22:10 UTC
The email discusses the two main ways of spending an "offered" HTLC txout.
The first option involves a presigned multisig covenant transaction that pays to the offerer, also known as the HTLC-timeout transaction. This option can only be spent by the offerer since it uses a presigned covenant held by them. The second option requires the receiver's signature and the preimage. Only the receiver can spend via this path.
The email provides a link to the exact script used for these transactions, which can be found at https://github.com/lightning/bolts/blob/master/03-transactions.mdoffered-htlc-outputs.